AOL's Embarassing Password Woes 192
An anonymous reader writes "AOL.com users may think they have up to sixteen characters to use as a password, but they'd be wrong, thanks to this security artifact detailed by The Washington Post's Security Fix blog:
"Well, it turns out that when someone signs up for an AOL.com account, the user appears to be allowed to enter up to a 16-character password. AOL's system, however, doesn't read past the first eight characters."
This means that a user who uses "password123" or any other obvious eight-character password with random numbers on the end is in effect using just that lame eight-character password."
Nothing new (Score:4, Interesting)
Same as in Linux (Score:0, Interesting)
So that's the same as in most (all?) Linux distributions by default.
Standard crypt problem (Score:5, Interesting)
We switched to a new content management system and gleefully informed users that their new default password was (an organization-standard eight-character string) followed by their username.
We realized something was wrong when someone noticed that all the password hashes were the same.
(The fix: find a new better hash function.)
Even better (Score:5, Interesting)
I quickly found that I could not log on to my account. I was wondering whether I misspelled my password or something, when I noticed (while reading the FAQ) in small print "Passwords must be 8 characters or less." Now, no warning of this was given anywhere on the sign up form.
In shock, I realized what the issue must have been. Sure enough, trying to log on with password "DaedAEca" worked like a charm.
Yes, not only did they not warn the user that there was a maximum on the password length while signing up, and not only did their form accept my 16-char password, but it actually would not let me log in with the full password. Man, I was pissed and confused for a while...
Radius? (Score:4, Interesting)
1. Log into AOL and only use the first 8 characters
2. Log into the AOL webmail and only use the first 8 characters.
This may indicate if the limitation is the sign in solution, or the entire userdb backend.
cluge
Its actually worse than that (Score:5, Interesting)
They also don't hash passwords anymore in your registry from AIM6 onward. They encrypt them, but that's a lot easier to get around than hashing.
If you really want a more detailed explanation you can take a look at the 12/29/06 and 12/30/06 posts on this page - http://tsourceweb.com/ [tsourceweb.com] - but what I already mentioned is the crux of the issue. (We all know people on Slashdot dont like to read articles anyway
Re:Radius? (Score:2, Interesting)
(and yes that...sickeningly...means I actually used AOL for some time...)
I had a problem logging in to the AOL webmail because it *does not* truncate to the first 8 characters and I *thought* my password was longer than 8. Thus logging into the AOL app worked fine, but I had to manually truncate to 8 characters to get webmail working.
I thought it was a problem on my end so I IM'd support. After a few painful minutes of trying to work with that moron I figured out what it was...and suggested they add it to their help notes for the next time someone calls in on it.
Re:Not alone, Apple too (Score:5, Interesting)
Re:Not alone (Score:0, Interesting)
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN 8
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
MD5_CRYPT_ENAB yes
Maybe it's just me, but having a hardcoded default of 8 significant characters is really stupid especially when the alternative is just plain better. Is there any distro that _doesn't_ override these by default?
AIX (Score:5, Interesting)
Re:Not alone (Score:1, Interesting)
Thank you /. (Score:2, Interesting)
VNC... (Score:2, Interesting)